Rich text fields munge html in view mode #21

Closed
eileenmcnaughton opened this issue Sep 13, 2018 · 4 comments

@eileenmcnaughton
Contributor

eileenmcnaughton commented Sep 13, 2018

Here's a can of worms for ya!

Rich text fields - when edited normally save html to the database - here is what a field looks like in view mode when edited via an inbuilt form

screenshot 2018-09-13 12 51 48

Edited via the contactlayout block they save escaped html - so it looks like this

screenshot 2018-09-13 12 50 53

And here is how it renders when viewed on a 'normal' tab
screenshot 2018-09-13 12 52 54

This is how the field looks in the ContactEditor when it is submitted - i.e. straight after $values = $this->exportValues();

<p>&lt;p&gt;new stuff&lt;/p&gt;</p>

@nganivet

Out of context: we recently gave up on trying to fix this same issue in the word replacement admin screen in core: the 'source' and 'replacement' fields have different behaviors with html inputs, making it impossible to enter a word replacement where either the source or replacement string includes html tags.

So most likely not an easy issue to deal with ...

@colemanw
Member

This appears to be a system-wide problem, possibly caused by the latest round of security fixes. Not just profile forms but core forms are also struggling. Try this:

  • Edit a contact's last name to be I<i>am</i>html. Obviously html tags are not allowed in a last name field so the correct behavior is for them to be escaped and displayed literally as-is.
  • Now view the contact. Note that the last name is displayed correctly. It should read "I<i>am</i>html".
  • But if you click the name to edit, or click "Edit" for the whole contact, it will get garbled. The same problem happens if you stick last_name in a profile block.
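
A minimal model of the reproduction steps above, added here as an illustration and not taken from CiviCRM or from any commenter. It assumes the garbling comes from a value being HTML-encoded on save and encoded again when the edit form is pre-filled, which the thread does not confirm; all function names are hypothetical.

```php
<?php
// Added illustration, not CiviCRM code: every function name here is hypothetical.

// Encode for an HTML context (element text or attribute value).
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What the browser shows (and posts back) for encoded markup: one layer decoded.
function browserDecodes(string $html): string {
    return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumed faulty pipeline: encode on save, print as-is on view, encode again on edit.
function faultyRoundTrip(string $typed): array {
    $stored   = esc($typed);                   // encoded on input
    $viewed   = browserDecodes($stored);       // view page prints $stored unchanged
    $editBox  = browserDecodes(esc($stored));  // edit form encodes a second time
    $restored = esc($editBox);                 // saving the form adds another layer
    return compact('stored', 'viewed', 'editBox', 'restored');
}

// Encode-once pipeline: store what was typed, encode only when rendering.
function encodeOnceRoundTrip(string $typed): array {
    $stored   = $typed;
    $viewed   = browserDecodes(esc($stored));
    $editBox  = browserDecodes(esc($stored));
    $restored = $editBox;
    return compact('stored', 'viewed', 'editBox', 'restored');
}

// Heuristic check for a database value carrying an entity encoded twice, e.g. "&amp;lt;".
function looksDoubleEncoded(string $stored): bool {
    return preg_match('/&amp;(?:[a-z]+|#\d+|#x[0-9a-f]+);/i', $stored) === 1;
}

$typed = 'I<i>am</i>html';   // the last name used in the reproduction steps
$runs  = ['faulty' => faultyRoundTrip($typed), 'encode-once' => encodeOnceRoundTrip($typed)];
foreach ($runs as $name => $steps) {
    echo "== $name ==\n";
    foreach ($steps as $step => $value) {
        // Only the values written to the database are checked.
        $inDb = in_array($step, ['stored', 'restored'], true);
        $flag = ($inDb && looksDoubleEncoded($value)) ? '   <-- double-encoded' : '';
        printf("%-9s %s%s\n", $step, $value, $flag);
    }
}
```

In the faulty run the view step shows the name as typed while the edit box shows the entity-encoded form, and re-saving stores a double-encoded value; in the encode-once run every step returns the original string.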

@eileenmcnaughton
Contributor Author

@colemanw FYI - editing the same data in the contact custom field block doesn't garble it - but there is a difference here - i.e. I am specifically referring to fields that support html - as defined by their html type & data type. I did wonder if there should be a permission to be able to save html data fields since they are intrinsically insecure.
